From 29c791c90e34a910350aa95dccf6358fa45ed1de Mon Sep 17 00:00:00 2001
From: David Yu <dyu@hashicorp.com>
Date: Mon, 29 Nov 2021 12:37:14 -0800
Subject: [PATCH] docs: Notes about WAN Federation when using Vault as Connect
 CA (#11143)

* docs: Notes about WAN Federation when using Vault as Connect CA

* Apply suggestions from code review

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update vault.mdx

* Update vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
---
 website/content/docs/connect/ca/vault.mdx | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx
index c6dd47a794..3929c43ee0 100644
--- a/website/content/docs/connect/ca/vault.mdx
+++ b/website/content/docs/connect/ca/vault.mdx
@@ -120,16 +120,21 @@ The configuration options are listed below.
   exist, Consul will mount a new PKI secrets engine at the specified path with the
   `RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set,
   a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl)
-  of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later.
-
-  Prior to Consul 1.11, the root certificate TTL was set to 8760 hour, or 1 year, and
-  was not configurable.
+  of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11, 
+  the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable. 
+  The root certificate will expire at the end of the specified period. 
+  
+  When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path`
+  with the primary datacenter. 
 
 - `IntermediatePKIPath` / `intermediate_pki_path` (`string: <required>`) -
   The path to a PKI secrets engine for the generated intermediate certificate.
   This certificate will be signed by the configured root PKI path. If this
   path does not exist, Consul will attempt to mount and configure this
-  automatically.
+  automatically. 
+
+  When WAN Federation is enabled, every secondary 
+  datacenter must specify a unique `intermediate_pki_path`. 
 
 - `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA
   certificate used for Vault communication. If unspecified, this will fallback
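Review bot: the rewritten lines carry trailing whitespace (the `Prior to Consul 1.11, ` line, the `8760 hour, or 1 year, and was not configurable. ` line, the `expire at the end of the specified period. ` line, the blank line after it, the `with the primary datacenter. ` line, the `automatically. ` line, and both `When WAN Federation is enabled, every secondary ` lines); MDX renders fine either way, but it will trip whitespace linters and shows up as noise in later diffs, so please strip it. While touching that sentence, fix the grammar inherited from the removed lines: "8760 hour, or 1 year" should read "8760 hours, or 1 year", and "of 87600 hours, or 10 years is applied" wants a comma after "10 years". The added sentence "The root certificate will expire at the end of the specified period." only restates what a TTL is; either say what that means for the operator (what has to happen before the root expires) or drop it. Finally, the two WAN Federation notes state a constraint in opposite directions (root path shared with the primary on the same Vault cluster, intermediate path unique per secondary) without saying why; one clause explaining that each datacenter needs its own intermediate mount under the shared root would save readers from guessing whether the asymmetry is intentional.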